TROJ_EXEDOT.SMA checks whether certain processes are running on the system and reports the result to certain URLs. It also attempts to download and execute additional malicious files; the sites it attempts to download from are now offline.

The dropped file, detected as TROJ_DLOAD.SMAD, is named mstmp, as can be seen below.

TROJ_EXEDOT.SMA, meanwhile, uses lib.dll as its file name. Both mstmp and lib.dll rose in search rankings as keywords, which suggests that affected users were looking for information on what these unfamiliar files were. Based on infection reports from Japan, this may be a targeted attack aimed at Japanese users.

Further Analysis

In this attack, various Java exploits were used. In addition, we found that in some cases the payload placed on a user's system depends on which Java vulnerability was exploited. In at least some cases, the ultimate payload was the fake antivirus Security Tool. This particular fake antivirus was also seen in recent Gumblar attacks. (Gumblar attacks have been seen in Japan since 2009 and continue to target Japanese users to this day.)

The detection name TROJ_DLOAD.SMAD covers many different files with different hashes, so a simple hash-based blocklist is not enough to catch every variant. The binaries also use anti-debugging techniques to make analysis more complicated.
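To illustrate why one detection name spanning many hashes matters for defenders, the following added example (not code from the original post or from Trend Micro) compares a hash blocklist with a byte-pattern signature. The two "variants" are constructed stand-ins, not real TROJ_DLOAD.SMAD samples: they share the code that references the dropped-file name mstmp but differ in a few embedded configuration bytes, which is enough to change their SHA-256. The URLs use the reserved example.invalid domain and are placeholders.

```python
import hashlib
import re

# Constructed stand-ins for two repacked variants of the same downloader.
# Each begins with an MZ header, embeds a download URL and the name of the
# file it will drop ("mstmp"), then carries variant-specific bytes. Real
# variants differ in packer output and configuration; here a different URL
# and trailer are enough to produce a different hash.
VARIANT_A = (b"MZ\x90\x00" + b"\x00" * 60
             + b"http://example.invalid/a.exe\x00mstmp\x00" + b"\xaa" * 32)
VARIANT_B = (b"MZ\x90\x00" + b"\x00" * 60
             + b"http://example.invalid/b.exe\x00mstmp\x00" + b"\xbb" * 32)

# A benign file that merely mentions "mstmp" in text, with no MZ header.
BENIGN_NOTE = b"The file mstmp appeared in my temp folder, what is it?\n"

# Blocklist built from the single sample an analyst happened to collect.
KNOWN_BAD_HASHES = {hashlib.sha256(VARIANT_A).hexdigest()}

# Structural signature: an MZ header plus a NUL-terminated URL immediately
# followed by the dropped-file name. This survives repacking of the trailer.
SIGNATURE = re.compile(rb"https?://[^\x00]+\x00mstmp\x00")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_match(data: bytes) -> bool:
    """True only for samples whose exact hash is already known."""
    return sha256(data) in KNOWN_BAD_HASHES


def signature_match(data: bytes) -> bool:
    """True for any PE-like file carrying the URL + 'mstmp' configuration."""
    return data.startswith(b"MZ") and SIGNATURE.search(data) is not None


def classify(samples: dict) -> dict:
    """Return {name: (hash_hit, signature_hit)} for each sample."""
    return {name: (hash_match(d), signature_match(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (h, s) in classify({"A": VARIANT_A, "B": VARIANT_B,
                                  "note": BENIGN_NOTE}).items():
        print(f"{name}: hash_blocklist={h} signature={s}")
```

Variant B is missed by the hash blocklist but caught by the signature, while the benign text file that merely mentions mstmp is caught by neither; this is the gap that a detection covering many hashes is designed to close.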

The inserted scripts also used obfuscation techniques to disguise their routines, as shown below.

Conclusion

Because we have not yet found the final payload, we cannot yet tell what the actual intent of this attack is. However, we can say that Web threats are becoming more sophisticated, increasing the threat to users.

To protect themselves, users should keep their applications and security software updated at all times, both to minimize exposure to vulnerabilities and to ensure that the latest protection is always available.

We will provide more information on this attack as it becomes available.